RISK MANAGEMENT STRATEGY - Aintree University Hospital · Aintree University Hospital NHS Foundation Trust Risk Management Strategy – October 2018 5/22 1. Introduction The Trust

1/22

RISK MANAGEMENT STRATEGY

Author with contact details

Dianne Brown, Chief Nurse Caroline Keating, Director Corporate Governance/Trust Secretary Telephone: No. 0151 529 5860 or 0151 529 4766 E.mail: [email protected] [email protected]

Original Issue date 2003

Issue Date: October 2018 Review Date: October 2019

Level Trust wide

Location of Staff applicable to

All staff across the Trust Staff groups applicable to

To all staff groups

To be read In conjunction with / Associated Documents:

Document Control SOP

Risk Management Policy and Procedure

Incident Reporting and Management Policy

Investigations of Incidents, Claims and Complaints SOP

Management and Resolution of Complaints and Concerns Policy

Claims Handling Policy & Procedure

Speak Out Safely Policy

Health & Safety Policy

Assurance & Escalation Framework

Being Open and Duty of Candour Policy

.

Information Classification Label

NHS Confidential NHS Protect Unclassified

Access to Information To access this document in another language or format please contact the policy author.

Document Change History (changes from previous issues of policy (if appropriate) :

Issue Number Page Changes made with rationale and impact on practice

Date

12 Total Document Review September 2017

13 Total Document Review October 2018

mailto:[email protected]

Aintree University Hospital NHS Foundation Trust

2/22

Risk Management Strategy

CONTENTS

Page No

Executive Summary & Risk Management Policy Statement 3

1 Introduction 5

2 Key Principles 5

3 Risk Appetite 7

4 The Risk Management Process 8

5 Responsibilities 8

6 Monitoring & Review 14

7 Continual Improvement of the Strategy 15

8 Human Rights, Equality & Diversity 15

9 Accessibility Statement 15

Page No

Appendices

1 Levels of Risk Appetite and Scoring Matrix 16

2 Trust Governance Structure 18

3 Risk Escalation Process 20

4 Risk Matrix 21

5 Monitoring & Review Template 22

6 Glossary of Terms 23


Risk Management Strategy – October 2018 3/22

Executive Summary and Management Statement

Aintree University Hospital NHS Foundation Trust’s (“Aintree” or “the Trust”) risk management strategy

sets out the corporate framework and processes required for successful delivery of the Trust’s risk

management policy statement. It is supported by procedures, guidance and other documents to ensure

that a consistent and standardised approach to risk management is adopted across the organisation,

providing assurance that risks are managed effectively. Supporting documents include the risk

management implementation plan which is produced annually and outlines specific activities.

Figure 1: The Corporate Risk Management Framework

Aintree’s risk management policy statement explains why it is important for us to manage our risks and

the benefits of doing this. The statement is set by the Board of Directors and, to demonstrate our

commitment, it has been signed by both the Chief Executive (on behalf of the Executive), and the

Chairman (on behalf of the Board).

The Trust believes that effective risk management is imperative not only to provide a safe environment

and high quality of care for service users and staff, it is also critical in the business planning process

where a more competitive edge and greater public accountability in delivering healthcare services is

required. Risk management is the responsibility of all within the Trust.

Aintree is committed to working in partnership with staff to make risk management a core organisational

process and to ensure that it becomes an integral part of Trust philosophy and activities. The Risk

Management Strategy encourages appropriate risk taking, effective performance management and

accountability for organisational learning in order to deliver continuous improvement in the quality of

services. As part of this, the Trust undertakes to ensure that appropriate resources, including finances,

people, training and information technology is made available, as far as is reasonably practicable.

The Risk Management Strategy applies to the management of all risks within the Trust.



As part of the Annual Governance Statement, the Trust will make a public declaration of compliance

against meeting risk management standards. The Risk Management Strategy identifies the Trust’s

objectives in relation to risk management and outlines the main processes by which these objectives are

to be achieved.

This strategy is subject to annual review and approval by the Board of Directors.

The Trust’s Risk Management Statement

Aintree University Hospital NHS Foundation Trust is committed to securing the best quality

healthcare for the population we serve. In doing so, it acknowledges that this can only be achieved

through the skill and continuing commitment of its staff.

Aintree University Hospital NHS Foundation Trust will support and help its employees in providing

services which are safe for patients and staff. This will require that all staff understand that “risk

management is everyone’s business” actively identifying risks, adverse incidents, near misses or

hazards. Aintree University NHS Hospital Trust will promote an open and supportive risk culture,

seeking patients’ views, and using the feedback as an opportunity for learning and improving the

quality of our services.

Chairman ………………………………….. Chief Executive …………………………………

Date:



1. Introduction

The Trust accepts that it carries a number of risks which have the potential to cause harm to patients,

staff and visitors and loss to its assets and reputation if not properly managed and controlled.

It is accepted that, given the nature of the service provided by the Trust, some risks cannot be totally

eliminated. However, it is essential that the Trust has in place good risk management systems and

practices which eliminate risk wherever possible and reduce the impact of those risks that cannot be

eliminated to an “acceptable level”.

Aintree takes an integrated approach to risk management across the organisation, which embraces all

risks. The Board of Directors will set Aintree’s risk appetite which will determine the strategic

governance arrangements for the Trust and create an environment and structure for risk management to

operate effectively.

Aintree is committed to understanding the causes of risk that may impact on the organisation,

addressing issues in compliance with the organisation’s risk management methodology, thereby

improving the quality, safety and effectiveness of the services provided.

The Trust will endeavour to apply a proactive risk-based approach to all aspects of its undertakings, its

activities and condition of its estate. This will be achieved using the Trust’s risk assessment

methodology as a tool to identify potential hazards and associated risks and to ensure appropriate

control measures are identified and implemented

2. Key Principles

2.1 Purpose of the Risk Management Strategy

The purpose of the Strategy is to detail the framework which defines the Trust’s governance

arrangements ie. the way the Trust leads, directs and controls the risks to its key functions in

order to comply with health and safety legislation, its Provider Licence, CQC registration and the

Trust strategic objectives.

NHS Improvement has established a ‘Single Oversight Framework’ to ensure there is a clear

compliance framework so that all Trusts are able to demonstrate that they are remaining within

their agreed provider licence. It is therefore important that the Trust is aware of any risks (e.g.

associated with new business or service changes) which may impact on its ability to adhere to

this framework.

The Strategy underpins the Trust’s reputation and performance and is fully endorsed by the

Board of Directors.

2.2 Scope of the Strategy

Everyone is responsible for making sure that risks associated with the activities and assets they

are responsible for, are identified, assessed and managed, in accordance with the Trust’s risk

management system and processes. The Strategy applies to the management of all risks within

the Trust associated with the services, operations and business.



The Board of Directors has overall responsibility for the governance of risk management in

Aintree with identified committees having delegated responsibilities. The Clinical Governance

and Risk team is responsible for developing and managing the implementation of the Trust’s risk

management policy documents. Divisional managers are responsible for developing and

implementing local policy documents which align with the Trust documents.

2.3 Link between Risk Management and Corporate Governance

The Trust has adopted an integrated governance approach to the management of risk.

Integrated governance is defined as;

“the systems, processes and behaviours by which we lead, direct and control our functions in

order to achieve our organisational objectives and the safety, quality and value for money of

services as they relate to patients and carers, the wider community and partner organisations”.

Corporate Governance is the system by which an organisation is directed and controlled at its

most senior level to achieve the Trust’s objectives and meet the standards of accountability and

probity.

The Trust is required to demonstrate that it is doing ‘’its reasonable best to manage risk’’. In

practice, this means having systems and processes in place to identify, assess, evaluate and

assign responsibilities to manage risks within the Trust. This is achieved by ensuring that risk

management and corporate governance is an integrated process through which the organisation

will identify, assess, analyse and manage risks and incidents at every level of the organisation

and aggregate the results at a corporate level. The Trust, therefore:

Integrates risk management into all decision-making processes

Integrates all risk management functions including patient safety, safeguarding, health and

safety, complaints and litigation

Integrates risk management functions with service developments and clinical governance

activity to unify frameworks and improve patient safety

Implements a consistent approach to investigation of risks and incidents.

2.4 Trust Objectives

The Board recognises that the implementation of an effective risk strategy and risk management

process is key to the delivery of the Trust’s objectives, the development of a positive learning

environment and a risk aware culture. The tool the Trust will use to facilitate this is the Board

Assurance Framework (BAF).

The BAF contains those principal or strategic risks that without effective mitigation have the

potential to fundamentally impact on the Trust’s objectives. They are agreed annually by the

Board and kept under regular review.

The Trust Board has defined a principal risk for purposes of the BAF as:

“Those risks that if realised could fundamentally affect the way in which the Trust exists or

provides services in the next one to three years. These risks should they occur will have a

detrimental effect on the achievement of one, some or all of the Trust’s objectives. The risk

realisation will lead to material failure, loss or lost opportunity.”



The strategic risks in the BAF are monitored at the appropriate Board Committee and a summary

of these risks are monitored and reviewed on a monthly basis by the Executive Team with an

update provided by the Trust strategic risk lead (Executive Director) to ensure that risks are

appropriately managed and mitigated against. The Corporate Report of the Trust’s Risk Register

details the high level operational risks which may impact on the BAF and these are monitored by

the Executive Led Groups and escalated where appropriate to the Hospital Management Board

(HMB) and the relevant Board Committee (Appendix 2).

The Audit Committee, which has responsibility for ensuring that the Trust’s risk management

remains effective, will undertake a review of the BAF process at least annually.

The BAF directly underpins the Annual Governance Statement (AGS) and is the subject of

annual enquiry by Internal and External Audit.

3. Risk Appetite

The Trust recognises that it is impossible and not always appropriate to eliminate all risks.

Systems of control must be balanced in order that innovation and the use of limited resources are

supported when applied to healthcare. Additionally, the Trust may be willing to accept a certain

level of risk when the cost of mitigating the risk is high in comparison to the potential severity of

the risk and the likelihood of it occurring. The Board will set the risk appetite annually for the

risks identified on the BAF.

The following statement has been approved by the Board in support of its risk appetite1.

1 Approved by the Board of Directors – January 2017

The Trust recognises that its long term sustainability depends upon the delivery of its strategic

objectives and its relationships with its patients, staff, the local community and strategic partners.

As such, the Trust has a minimal appetite for risks that impact on quality of care i.e. to be safe,

effective and providing a positive patient experience. Related to this, the Trust has a minimal risk

appetite relating to regulatory non-compliance.

The Trust has a moderate appetite to take considered risks in terms of their impact on financial

stability in challenging working practices in pursuance of its commitment to clinical excellence,

providing that patient safety and experience is not adversely affected. Similarly, the Board has only

a moderate appetite to risks associated with the development of its people and demonstrating

effective leadership recognising that both of these elements are key to ensuring quality service and

care to patients and achieving the Trust objectives

The Board has greatest appetite in seeking strategic transformation of healthcare across Merseyside

and the planned merger with the Royal Liverpool and Broadgreen University Hospitals NHS Trust, as

well as developing wider effective partnerships and alliances where positive gains can be anticipated

providing they are done so within the regulatory environment.



4. The Risk Management Process

The Trust’s risk management process is embedded at all levels as an integral part of Aintree’s

Risk Management Strategy and is supported by a robust training programme.

Through the organisational governance structure (Appendix 1), the Trust has systems in place to

identify risks, assess their impact and devise strategies to evaluate, manage and control them.

This system provides the Trust with an assurance that risks to which the Trust may be exposed

are managed and controlled at an appropriate level. This process is supported by the risk

escalation process (Appendix 2).

Appendix 3 contains the Risk Matrix details of the risk grading for the likelihood and consequence

scoring. These are supported by relevant risk management policy documents which provide

detailed guidance. The policy documents are used proactively to identify foreseeable risks and

ensure that those risks are evaluated with adequate control measures implemented and the

findings communicated appropriately.

Risks assessments, dependent on the risk score awarded, are recorded on the relevant risk

register and monitored and reviewed in compliance with respective Divisional governance

structures and risk management processes.

Communication and consultation is important at all stages of the risk management process. For

example, when undertaking a risk identification and assessment it is important that the right

people are involved, and when risk mitigations are identified it is important the people

implementing actions are informed.

5. Responsibilities

The Risk Management Strategy will ensure that its risk management arrangements meet the

requirements of regulatory bodies that directly assess the overall adequacy of the Trust’s risk

management arrangements including:

5.1 Statutory

Health & Social Care Act 2008 – the Trust is legally required to register with the Care

Quality Commission under the Health & Social Care Act 2008 and, as a legal requirement of

the Trust’s registration, must protect patients, workers and others

Management of Health & Safety at Work Regulations 1999 (as amended) – the Trust is

required to undertake a suitable and sufficient assessment of the risks to the health and

safety of all employees and persons not in its employ to which they are exposed to whilst at

work and arising out of or as a result of the Trust’s activities

Health and Safety at Work Act 1972 (HASWA) – Section 2 places a duty on the Trust to

ensure, so far as is reasonably practicable, the health, safety and welfare of all employees

and anyone who may be affected by its work activities.



5.2 Mandatory

NHS Improvement (NHSI) is the sector regulator for health services in England. It

authorises and regulates NHS foundation trusts ensuring they are well led (governance) and

run efficiently (financial) so they can continue delivering good quality services for patients in

the future. NHSI has created a risk-based system of regulation which determines the

intensity of the monitoring it undertakes. The Trust is required to demonstrate compliance

with its Licence and the Single Oversight Framework.

The Care Quality Commission (CQC) is the independent regulator of health and adult social

care services in England. The Trust is required to provide reasonable assurance to the CQC

of its compliance against their essential quality and safety standards.

Approved Codes of Practice (ACoP) – these have a quasi legal status that assist the Trust

to ensure that it operates within the legal framework.

RSM Risk Assurance Services LLP is the Trust’s independent internal auditors who

develop and deliver an annual internal audit programme for the Trust. This includes verifying

that the Trust has suitable and effective systems of internal control with respect to risk

management in place and that these are effective.

Pricewaterhouse Coopers LLP is the Trust’s independent external auditors appointed by

the Council of Governors. The external auditors provide an unbiased and independent

opinion on the Annual Report & Accounts which includes the Annual Governance Statement.

5.3 Organisational

5.3.1 Organisational Accountability – Governance & Risk Management Committees

The Board of Directors is ultimately accountable for ensuring that the Trust is complying with the

terms of its Provider License which includes its arrangements for integrated governance and

effective risk management.

The Board has identified the strategic risks that it considers are the key risks likely to impact on

the delivery of the Trust’s objectives and overall strategy. Its Board Committees have

responsibility for monitoring the effectiveness of the controls and assurances in place to manage

these risks. The Corporate Governance Framework Manual2 references the delegated

responsibility from the Board to its Committees which is reflected in their terms of reference. The

current terms of reference for the Board Committees were approved by the Board of Directors in

April 2018. The responsibilities for the respective committees/groups are outlined in Table 1

overleaf.

2 Available on the trust website



Name Responsibilities

Quality Committee

Its purpose is to enable the Board to obtain assurance that high

standards of care are provided by the Trust and, in particular, that

adequate and appropriate governance structures, processes and

controls are in place throughout the Trust to identify, prioritise and

manage risk arising from clinical care.

Audit Committee

Its primary role is to provide the Board of Directors with a means of

independent and objective review of financial and corporate

governance, assurance processes and risk management across the

whole of the Trust’s activities.

Finance &

Performance

Committee

This Committee will review the financial prospects of the Trust and

approve the key financial assumptions used in strategic and business

planning.

Workforce

Executive Led

Group

Its purpose is to oversee the execution of the People and Organisational

Development Strategy and associated key delivery plans. It will provide

assurance to the Board Committees on workforce issues, taking

account of local and national agendas, and on the specific HR risks

identified within the BAF. It reports through to the Hospital Management

Board (HMB) to provide assurance to the Trust’s senior management

team on significant operational issues.

Safety & Risk

Executive Led

Group

Its purpose is to provide advice and assurance to the Quality Committee

on the delivery of the Risk Management Strategy and operational

management of risks within the Trust held on the Corporate Risk

Register. It is responsible for escalating to the Quality Committee those

risks and concerns requiring senior input. It reports through to the

Hospital Management Board (HMB) to provide assurance to the Trust’s

senior management team on significant operational issues.

Clinical

Effectiveness

Executive Led

Group

Its purpose is to provide advice and assurance to the Quality Committee

on the clinical risks within the Trust held on the Corporate Risk Register.

It is responsible for escalating to the Quality Committee those risks and

concerns requiring senior input. It reports through to the Hospital

Management Board (HMB) to provide assurance to the Trust’s senior

management team on significant operational issues.

Patient Experience

Executive Led

Group

Its purpose is to oversee the delivery of patient experience improvement

plans, identify risks associated with areas of performance and escalate

any concerns requiring senior input to the Quality Committee. It reports

through to the Hospital Management Board (HMB) to provide assurance

to the Trust’s senior management team on significant operational

issues.

Operations &

Performance

Executive Led

Group

Its purpose is to provide advice and assurance to the Finance &

Performance Committee on the operational delivery of hospital services

ensuring that mechanisms are in place to address, monitor and manage

operational issues within the Trust. It reports through to the Hospital

Management Board (HMB) to provide assurance to the Trust’s senior

management team on significant operational issues.

Hospital

Management Board

(HMB)

It provides advice to the Board on the direction and operational

management of the Trust. It takes on the role of leadership, developing

the overall strategy of the Trust and ensuring the delivery of strategic



Name Responsibilities

objectives and the mitigation of strategic risk through a focus on clinical

quality, performance and delivery.

Divisional

Assurance Groups

These groups are responsible for reviewing and controlling the risks

within their Divisions as part of the development of divisional and

corporate risk registers and escalating those risks to the relevant

Executive Led Group.

High risks that cannot be controlled and which emanate from the

Divisions are to be escalated to the Corporate Risk Register, treated by

the Executive Team and de-escalated and sent back to the appropriate

source.

Table 1: Committee Responsibilities

5.3.2 Organisational Accountability: Executive Leadership

The following table outlines the roles and responsibility for risk management within the

organisation:

Individual(s) Responsibilities

Lead Executive Directors

Chief Executive The Chief Executive has overall responsibility for risk management.

As Accounting Officer3, the Chief Executive has responsibility for

maintaining a sound system of internal control that supports the

achievement of the Trust’s policies, aims and objectives, whilst

safeguarding the public funds and departmental assets. The Chief

Executive is also responsible for ensuring that the Trust is

administered prudently and economically and that resources are

applied efficiently and effectively. This includes:

ensuring that employees and the public are properly protected

against exposure to risks arising out of or as a result of the Trust’s

activities

ensuring that the appropriate arrangements are in place to

manage risks within the organisation. This includes ensuring an

effective structure and system is in place to allow those who

create risks to manage them responsibly

signing the Annual Governance Statement in the annual report

and accounts on behalf of the Board

enabling individuals whether these are patients, staff, visitors etc

to understand that, as well as having the right to remain safe

without risk of harm, they too must act responsibly.

3 NHS Foundation Trust Accounting Officer Memorandum




The Chief Executive has delegated responsibility for delivery within

the management structure to the Corporate Directors for their

respective areas.

Deputy Chief

Executive/Integration

Director

Nominated by the Chief Executive as the Executive Director

responsible for the management of risk relating to the proposed

merger transaction.

Medical Director


responsible for the management of risk relating to clinical

effectiveness, research & development and professional

responsibility for medical practice within the Trust.

The Medical Director is the nominated Caldicott Guardian and has

responsibility for the safety of patient data.

Chief Nurse Nominated by the Chief Executive as the Executive Director

responsible for the management of risk relating to quality

improvement, patient safety and patient experience, clinical

governance including risk management, safeguarding vulnerable

adults & children as well as professional responsibility for nursing and

allied health professionals.

The Chief Nurse is the Director for Infection Prevention and Control

and is also the Executive Lead for the Risk Management Strategy.

Director of Finance &

Business Services


responsible for the management of risk relating to systems of

financial control, standards of business conduct and counter fraud,

financial governance and associated risks.

The Director of Finance & Business Services is the nominated Senior

Information Risk Owner (SIRO) and is responsible for information

governance risk assessment and management processes.

Chief Operating

Officer


responsible for the management of risk relating to the management of

organisational operational issues, lead for service improvement and

transformation across the Clinical Divisions as well as emergency

preparedness resilience and response.

Director of

Workforce & OD

Nominated by the Chief Executive as the lead Director responsible for

the development and delivery of the Trust’s People and OD Strategy,

develop a values driven culture, maximizing education and learning

opportunities and management of risk relating to the Trust’s

workforce and associated policies.

Director of Estates &

Facilities

Nominated by the Chief Executive as the lead Director responsible for

the management of risk relating to health & safety as well as the

hospital’s physical environment.




Non-Executive Director Responsibility

Non-Executive

Directors

The Chairman and Non-Executive Directors exercise non-executive

responsibility for the promotion of risk management through

participation in the Trust Board and its committees. They are

responsible for scrutinising systems of governance. They have the

responsibility to ensure that the Chief Executive and Executive

Directors are held to account for their risk management

responsibilities.

Individuals with Specific Responsibilities for Risk Management

Director of Corporate

Governance/Trust

Secretary

Responsibility to review all corporate governance arrangements that

might affect the Trust to ensure that the Board is fully briefed on

these matters and has regard to them when taking decisions and to

advise the Board on the strategic risks identified in the BAF.

Associate Director of

Quality Governance

Oversees and supports the implementation of the risk functions and

has responsibility for the implementation of the Risk Management

Strategy and aligned risk management policy documents within the

Trust as well as the implementation of the risk management

framework.

Associate Medical

Directors

Responsible for the management of risk relating to the areas of their

portfolio.

Divisional Medical

Directors

Ultimate responsibility for the implementation of the Risk

Management Strategy and policy within their division.

Divisional Directors

of Operations

Responsibility for the operational implementation of the Risk

Management Strategy and policy within their division.

Divisional Directors

of Nursing

Responsibility for the management of clinical and non-clinical risk

within their division and for advice regarding patient safety.

Clinical Risk

Manager

Responsibility for ensuring systems and processes relating to clinical

risk management are embedded throughout the Trust, including

clinical incident reporting and investigations; ensuring lessons learnt

from adverse events are shared throughout the governance structure;

reviewing risk assessments to identify risks which are prevalent

across the organisation.

Risk & Legal

Services Manager

Responsibility for ensuring systems and processes relating to

litigation are embedded throughout the Trust; ensuring equitable and

cost effective resolution of claims; and for the Trust’s incident

reporting procedure for all non-clinical incidents.

Health and Safety

Manager

Responsibility for ensuring systems and processes relating to non-

clinical risk management are embedded throughout the Trust.

Divisional

Governance Leads Responsibility for providing advice and support to Clinical Business

Units on all issues relating to this strategy and associated policy

documents; ensure departments have an active risk register and that

risks are updated; ensure risk assessments are undertaken and

provide quality assurance checks; ensure systems and processes are

established with the Division to manage risks and incidents.




Clinical Director of

Pharmacy Responsibility for the delivery of safe medicines management and as

the Accountable Officer for Pharmacy to ensure total compliance with

legislation for controlled drugs.

All Managers/Heads

of Service

Responsibility for the local implementation of this Strategy and

associated policy documents in their departments, wards and/or other

clinical and non-clinical areas.

All staff

Responsibility for compliance with the requirements of this Strategy

and associated policy documents; awareness of the risks identified

within their working environment and how their role impacts on those

risks; reporting hazards or threats to the ward or department manager

taking reasonable steps to reduce the risk if possible.

Table 2: Individual Responsibilities relating to risk management

5.4 Third Party Organisations

Specific risks identified by the Trust will be shared with any other relevant organisation working in

partnership with the Trust. Likewise, the Trust expects that any relevant risks identified by

partners will be shared with the Trust.

6. Monitoring and Review

Monitoring assesses how well risk management across Aintree is performing (performance

monitoring) and if it is delivering the objectives and benefits defined in the Risk Management

Policy documents. This monitoring covers input indicators (eg. compliance with risk management

requirements, progress with risk plans, etc) and output indicators (eg. near miss and accident

rates).

Risk management performance will be monitored and reviewed according to the process

identified in Appendix 4 to ensure that risk management in Aintree is effective and provides

support for the successful delivery of the Trust’s objectives. The monitoring and review covers:

Regular reviews of the potential events or uncertainties (ie. what could go wrong) and how

they are being managed. On an individual basis, this includes consideration of the level of

risk, progress with risk mitigation actions and the current effectiveness of risk measures /

controls / contingencies. Concerns should be escalated to the appropriate management level

for consideration and response

Investigations of reported near misses and incidents to understand root causes, and to

develop risk mitigation actions (specific measures / controls and contingencies) and to

improve Aintree’s risk management system framework

Gaining assurance that (i) the measures / controls / contingencies are in place and

performing as specified, (ii) risk plans are being progressed and (iii) we are working in

accordance with our risk management system and processes. This is achieved in three

parts:



o Self-assessment – Line managers are responsible for including self-assessment

activities in their quality improvement plans and the identification of any risks arising from

these.

o Internal audit – The Audit Committee will set and review the internal audit requirements

which will focus on assessing the measures / controls / contingencies of greatest

importance in mitigating the risks to the organisation

o External audit - The Board will respond to external audit and legislative requirements

(eg. CQC audits). Typically, these audits will focus on compliance with standards and

legal requirements, assessing the measures / controls / contingencies of greatest

importance in mitigating risk, and on the effectiveness of the risk management framework.

The above will inform the Board Assurance Framework which is provided to the Board of

Directors so they can make a judgment on how effectively the strategic risks are being managed.

7. Continual Improvement of the Strategy

Based on results and a wider understanding of the context, decisions will be made on how to

improve the risk management policy, framework, processes and tools. These decisions will be

aimed at improving the management of risk and risk culture throughout the organisation.

The Risk Management Strategy will be reviewed annually.

8. Human Rights, Equality & Diversity

The Strategy has been assessed against the Trust’s Equality Impact Assessment Form which

has identified that there is no impact on any Equality Target Group.

Implications arising from the Human Rights Act have been taken into account in the formulation

of this Strategy and have, where appropriate, been fully reflected in its wording.

9. Accessibility Statement

This document can be made available in a range of alternative formats on request eg. large print,

Braille etc.


Risk Management Strategy –October 2018 16/22

Appendix 1 – Trust Governance Structure





Appendix 2 – Risk Escalation Process

BOARD OF DIRECTORS (BAF quarterly)

Board Committees

Divisional Assurance Group

CBU/Directorate Governance/Assurance Meetings

Incidents Complaints

Claims

External Assessments/

CQC/NHSI

Ad hoc Risk

Assessments

Health and

Safety

RISK REGISTER

S

C

R

U

T

I

N

Y

A

S

S

U

R

A

N

C

E

Board Assurance Framework and submitted to the Board and monitored through Board

governance and assurance

committees

Any risk scoring 15 or above and/or impacting across the Trust is escalated to the Corporate risk register and with agreement with relevant Exec would recommend

risks to be incorporated into BAF

All risks 15 or above (corporate or divisional added to corporate risk register) and any risks that

cannot be managed regardless of score to be escalated by the

Divisions to Exec Led Safety and

Risk Group

Service/Divisional risks reviewed at Service Governance Forums

and escalated to Harm Free Care Meetings for decision to include

on risk register

Risk Assessments completed at local level

Audit/Non-Compliance

NICE Guidance

Safety & Risk Executive Led Group

Risks scoring 9 and above and any risks that cannot be managed

at service level escalated to

Divisional Assurance Group

HMB



Appendix 3 – Risk Matrix

Risk Grading = Likelihood x Consequence (impact) (L x C)

Likelihood

Consequence score 1 2 3 4 5

Rare Unlikely Possible Likely Almost certain

5 Catastrophic 5 10 15 20 25

4 Major 4 8 12 16 20

3 Moderate 3 6 9 12 15

2 Minor 2 4 6 8 10

1 Negligible 1 2 3 4 5

Further details of the descriptors for the likelihood and consequence scoring can be found in the Risk Management Policy



Appendix 4

Monitoring and review of the effectiveness of the Trust’s risk management strategy

Key Process /

part of this

policy for which

compliance or

effectiveness is

being monitored

Monitoring

method (ie.

audit, report, on-

going committee

review, survey

etc)

Job title and

department of

person

responsible for

leading the

monitoring

Frequency

of the

monitoring

activity

Monitoring

Committee

responsible for

receiving the

monitoring

report/ audit

outcomes etc

Committee

responsible

for ensuring

that

improvement/

action plans

are

completed

Compliance with

the Risk

Management

Strategy at

Divisional level,

and process for

managing the

risk locally.

Reporting

arrangements

into the Board

Committees and

the Board.

Committee

effectiveness

Review of

effectiveness of

Committees and

Groups with

responsibility for

risk management

(including

reporting

arrangements to

the Board and

Board

Committees)

Associate

Director of Quality

Governance

Director

Corporate

Governance/

Trust Secretary

Corporate

Governance

Team

At least

annually

Board

Committees

Quality

Committee

Compliance with

the process for

Risk Registers

Review of

Divisional and

Corporate Risk

Registers

Associate

Director of Quality

Governance

Quarterly Safety & Risk

Executive Led

Group

Quality

Committee

Ensuring that

strategic risks are

assessed,

reviewed and

aligned with the

strategic

objectives via the

Board Assurance

Framework

Review of the

Board Assurance

Framework,

content and

process.

Director

Corporate

Governance/

Trust Secretary

Quarterly Executive Team

Board of

Directors

.



Appendix 5 – Glossary of Terms

Term Definition

Adverse Event Any event or circumstances leading to unintended harm and/or suffering which

results in admission to hospital, prolonged hospital stay, significant disability at

discharge or death

Board Assurance

Framework (BAF)

The BAF is a tool by which the Board corporately assures itself about the

successful delivery of the Trust’s strategic objectives. The BAF is designed to

focus the Board on controlling principal risks threatening the delivery of those

objectives. The BAF aligned principal risks, key controls and assurances on the

operation of controls

Consequence The outcome of an event being a loss, injury, disadvantage or gain in respect of

the physical, emotional, financial, social or credibility status of the individual or

organisation

Controls

Assurance

A process designed to provide evidence that the NHS in total (and its constituent

parts) is doing its reasonable best to manage, direct and control itself so as to

protect itself, its employees, patients and stakeholders safety and interests

against risks of all kinds

Cost Activities, both direct and indirect, which result in a negative outcome or impact for

an individual or the organisation. Cost includes money, time, labour, disruption,

goodwill, political and intangible losses

Current risk The risk of the risk still being realised, despite the actions required being adopted.

This is represented by the risk being rescored post action and can be

supplemented by a narrative

Event Incident or situation occurring in a particular place during a particular interval of

time

Hazard A source of potential harm, or a situation with the potential to cause loss

Incident Any unplanned event or circumstance resulting in, or having a potential for injury,

ill health, complaint, damages or loss

Incident

Reporting &

Investigation

A formal, structured process and approach to enable the occurrence of incidents

to be reported, recorded and the root cause of reported incidents identified, in

order to manage risk exposure and identify required corrective actions.

Likelihood A qualitative measure/description or probability or frequency

Monitor To check, supervise, observe critically or record the progress of an activity, action

or system on a regular basis in order to identify change

Probability The likelihood of a specific event or outcome occurring. This is measured by the

ratio of specific events or outcomes to the total number of possible events or

outcomes. Probability is expressed along a scale ranging from impossible to

certain

Risk The chance of something happening that will have an impact upon objectives. It

is measured in terms of consequences and likelihood

Risk Acceptance An informed decision to accept the identified consequences and likelihood of a

particular risk



Term Definition

Risk Analysis A systematic use of available information to determine how often specified events

may occur and the magnitude of their consequences

Risk Appetite Risk appetite is the amount of risk that an organisation is prepared to accept,

tolerate, or be exposed to at any point in time.

Risk Assessment The overall process of risk analysis and evaluation

Risk Avoidance An informed decision not to become involved in a risk situation

Risk Control That part of risk management which involves the development and

implementation of policies, standards, procedures and/or physical changes to

eliminate or minimise adverse events or risks

Risk Evaluation The process used to determine risk management priorities by comparing the level

of risk against pre-determined standards, target risk levels or other criteria

Risk Identification The process of determining what can happen, why and how

Risk Management The culture, processes and structures that are directed towards the effective

management of potential opportunities and/or adverse effects

Risk Management

Process

Systematic application of management policies, procedures and practices to the

tasks of establishing the context of risk and then identifying, analysing, evaluating,

treating, monitoring and communicating risk

Risk Reduction The application of appropriate techniques and management principles, to reduce

either the likelihood of an occurrence, or its consequences or both

Risk Transfer Shifting the responsibility or burden for loss to another party through legislation,

contract, insurance or other means. Risk transfer can also refer to shifting a

physical risk or part thereof elsewhere

Risk Treatment Selection and implementation of appropriate options and action plans for dealing

with risk

Serious Incident A serious incident requiring investigation is defined as an incident that occurred in

relation to NHS funded services and care resulting in unexpected or avoidable

death, serious harm, permanent harm (National Patient Safety Agency (NPSA),

2008)

Stakeholders Those people and organisations who may affect, be affected by or perceive

themselves to be affected by a decision, action or activity

System Failure A non-conformance with, malfunction or, or deviation from a defined management

system. A system failure may also be defined as inadequate performance, non-

participation in or non-application of a defined management system or process.